client certificate revocation checking

Hi.
In our application we use authentication based on client SSL certificates. I've found out that checking of client cert revocation is not done automatically, even if the CRL Distribution Point is present in the client certificate. Is this intentional, or just not done yet?

The only way to do revocation checking is to configure SSLCARevocationPath or SSLCARevocationFile.

The world of certificates is full of mess. The CRL Distribution Point is not mandatory. So if it is not present, the last chance to do checking is through the SSLCARevocation* vars. So they have their meaning.
I've found a discussion about reloading values of SSLCARevocation*:
 http://markmail.org/message/nrhnyd6dppl25uxj
 From:     Erwann ABALEA (eaba...@xxxxxxxxx)
  Date:    Oct 15, 2008 9:08:30 am
  List:    org.apache.httpd.dev
"CRL refreshing should also be taken into account; killing and restarting a webserver every hour or every day because we downloaded a new CRL is not a viable solution in a production environment, and OCSP is not always a good answer (we're not talking about a sub-minute revocation status)."

So my question is: is CRL refreshing (reload of CRL files) done in the current Apache versions?

And in the end, what about OCSP - is it supported?

Jan.

